Shibboleth IDP and mixed Windows 2003/2008 AD servers

Paul Haldane Paul.Haldane at newcastle.ac.uk
Sun Mar 28 04:26:10 EDT 2010


We have a problem which sounds related to, but different from, that 
described in thread http://marc.info/?l=kerberos&m=126927485320222&w=2 and 
addressed by http://support.microsoft.com/?kbid=978055.

We use Kerberos authentication against AD for controlling access to web 
resources using Shibboleth (Java IdP, Tomcat, Apache, CentOS 5.2). 
The initial problem was that one account was intermittently failing 
authorisation after changing password. This happened to be my account, so 
after deciding that it wasn't just poor typing we investigated further.

We have five AD servers; four running 2008 and one still running 2003.

Resetting the password for the test account (always to the same password) 
and then using a script with webisoget to log in, we found the following ...

1. Resetting password on the 2003 AD server gave 100% success.

2. Resetting on any of the 2008 AD servers results in roughly 20% success 
(i.e. login failed 4 times out of 5). This implies that auth works when talking 
to the 2003 server but not the 2008 servers.

[A straightforward kinit works 100% in both cases.]

This seems counter to the notes attached to 978055, which suggest that the 
problem goes away when the password is reset on 2008.

We're not getting reports of user problems (but that could just mean that 
no-one ever changes their password).

We're scheduled to upgrade the last 2003 AD server to 2008 in a couple of 
weeks. My hope is that this will make the problem go away rather than 
moving to 100% failure (but I'd like something a bit more than hope).

Has anyone seen this before and come out the other end? We've tried 
tweaking enctype settings on the IdP side. What we might do next week is 
set up a test AD domain and experiment on that (though our Windows admins 
point out that, as our production domain started out as 2000, a fresh 
install of 2003+2008 may not give identical results).

Paul
-- 
Paul Haldane
Information Systems and Services
Newcastle University
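The per-DC experiment in the post (reset the test account's password on one domain controller, then attempt the web login several times and count successes) is easy to lose track of by hand across five servers. The script below is an added example, not code from the post, the Shibboleth project, or Newcastle University: it assumes a hypothetical one-line-per-attempt log written by the login script (`reset_dc=<dc> result=OK|FAIL`), tallies the success rate per DC and flags any DC whose rate falls below a threshold. The DC names and attempt lines are constructed to match the numbers in the post (5 attempts per DC, 100% on the 2003 server, about 20% on the 2008 ones).

```python
"""Summarise a per-DC login experiment from a constructed attempt log.

Added example, not from the original post or the Shibboleth project.
Assumed log format (hypothetical): one line per webisoget attempt,
"reset_dc=<dc> result=OK|FAIL", where reset_dc is the domain controller
on which the test account's password was last reset.
"""
from collections import defaultdict

# Constructed sample log: DC names are placeholders, counts mirror the post.
SAMPLE_LOG = """\
reset_dc=dc-2003 result=OK
reset_dc=dc-2003 result=OK
reset_dc=dc-2003 result=OK
reset_dc=dc-2003 result=OK
reset_dc=dc-2003 result=OK
reset_dc=dc-2008a result=FAIL
reset_dc=dc-2008a result=OK
reset_dc=dc-2008a result=FAIL
reset_dc=dc-2008a result=FAIL
reset_dc=dc-2008a result=FAIL
reset_dc=dc-2008b result=FAIL
reset_dc=dc-2008b result=FAIL
reset_dc=dc-2008b result=OK
reset_dc=dc-2008b result=FAIL
reset_dc=dc-2008b result=FAIL
# comment lines and malformed lines are ignored by the parser
not a valid attempt line
"""


def parse_attempts(text):
    """Return a list of (reset_dc, succeeded) tuples, skipping junk lines."""
    attempts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # key=value tokens; anything without '=' is ignored
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "reset_dc" not in fields or "result" not in fields:
            continue
        attempts.append((fields["reset_dc"], fields["result"] == "OK"))
    return attempts


def success_rate_by_dc(attempts):
    """Map each reset DC to its fraction of successful logins (0.0..1.0)."""
    ok = defaultdict(int)
    total = defaultdict(int)
    for dc, succeeded in attempts:
        total[dc] += 1
        ok[dc] += int(succeeded)
    return {dc: ok[dc] / total[dc] for dc in total}


def suspect_dcs(rates, threshold=0.9):
    """DCs whose success rate is below the threshold, sorted by name."""
    return sorted(dc for dc, rate in rates.items() if rate < threshold)


if __name__ == "__main__":
    rates = success_rate_by_dc(parse_attempts(SAMPLE_LOG))
    for dc, rate in sorted(rates.items()):
        print(f"{dc}: {rate:.0%} success")
    print("suspect DCs:", suspect_dcs(rates))
```

Running it on the constructed log reports 100% for the 2003 placeholder and 20% for each 2008 placeholder, so both 2008 DCs are flagged. With a real log you would want more than five attempts per DC before trusting a rate, and it is worth adding the service ticket's enctype (from `klist -e`) to each line so a failing run can be compared with a succeeding one.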